TY - GEN
T1 - Drown
T2 - 25th USENIX Security Symposium
AU - Aviram, Nimrod
AU - Schinzel, Sebastian
AU - Somorovsky, Juraj
AU - Heninger, Nadia
AU - Dankel, Maik
AU - Steube, Jens
AU - Valenta, Luke
AU - Adrian, David
AU - Halderman, J. Alex
AU - Dukhovni, Viktor
AU - Käsper, Emilia
AU - Cohney, Shaanan
AU - Engels, Susanne
AU - Paar, Christof
AU - Shavitt, Yuval
N1 - Publisher Copyright: © 2016 Proceedings of the 25th USENIX Security Symposium. All rights reserved.
PY - 2016
Y1 - 2016
N2 - We present DROWN, a novel cross-protocol attack on TLS that uses a server supporting SSLv2 as an oracle to decrypt modern TLS connections. We introduce two versions of the attack. The more general form exploits multiple unnoticed protocol flaws in SSLv2 to develop a new and stronger variant of the Bleichenbacher RSA padding-oracle attack. To decrypt a 2048-bit RSA TLS ciphertext, an attacker must observe 1,000 TLS handshakes, initiate 40,000 SSLv2 connections, and perform 250 offline work. The victim client never initiates SSLv2 connections. We implemented the attack and can decrypt a TLS 1.2 handshake using 2048-bit RSA in under 8 hours, at a cost of $440 on Amazon EC2. Using Internet-wide scans, we find that 33% of all HTTPS servers and 22% of those with browser-trusted certificates are vulnerable to this protocol-level attack due to widespread key and certificate reuse. For an even cheaper attack, we apply our new techniques together with a newly discovered vulnerability in OpenSSL that was present in releases from 1998 to early 2015. Given an unpatched SSLv2 server to use as an oracle, we can decrypt a TLS ciphertext in one minute on a single CPU—fast enough to enable man-in-the-middle attacks against modern browsers. We find that 26% of HTTPS servers are vulnerable to this attack. We further observe that the QUIC protocol is vulnerable to a variant of our attack that allows an attacker to impersonate a server indefinitely after performing as few as 217 SSLv2 connections and 258 offline work. We conclude that SSLv2 is not only weak, but actively harmful to the TLS ecosystem.
AB - We present DROWN, a novel cross-protocol attack on TLS that uses a server supporting SSLv2 as an oracle to decrypt modern TLS connections. We introduce two versions of the attack. The more general form exploits multiple unnoticed protocol flaws in SSLv2 to develop a new and stronger variant of the Bleichenbacher RSA padding-oracle attack. To decrypt a 2048-bit RSA TLS ciphertext, an attacker must observe 1,000 TLS handshakes, initiate 40,000 SSLv2 connections, and perform 250 offline work. The victim client never initiates SSLv2 connections. We implemented the attack and can decrypt a TLS 1.2 handshake using 2048-bit RSA in under 8 hours, at a cost of $440 on Amazon EC2. Using Internet-wide scans, we find that 33% of all HTTPS servers and 22% of those with browser-trusted certificates are vulnerable to this protocol-level attack due to widespread key and certificate reuse. For an even cheaper attack, we apply our new techniques together with a newly discovered vulnerability in OpenSSL that was present in releases from 1998 to early 2015. Given an unpatched SSLv2 server to use as an oracle, we can decrypt a TLS ciphertext in one minute on a single CPU—fast enough to enable man-in-the-middle attacks against modern browsers. We find that 26% of HTTPS servers are vulnerable to this attack. We further observe that the QUIC protocol is vulnerable to a variant of our attack that allows an attacker to impersonate a server indefinitely after performing as few as 217 SSLv2 connections and 258 offline work. We conclude that SSLv2 is not only weak, but actively harmful to the TLS ecosystem.
UR - http://www.scopus.com/inward/record.url?scp=85076479391&partnerID=8YFLogxK
M3 - منشور من مؤتمر
T3 - Proceedings of the 25th USENIX Security Symposium
SP - 689
EP - 706
BT - Proceedings of the 25th USENIX Security Symposium
Y2 - 10 August 2016 through 12 August 2016
ER -